DevCon #2016 Securing AWS Infrastructure

Securing Your AWS Cloud Infrastructure by Neil Hermosilla

Page 1: Securing Your AWS Cloud Infrastructure by Neil Hermosilla

DevCon #2016: Securing AWS Infrastructure

Page 2:

About the speaker
- Neil Alwin Hermosilla
- DevOps Engineer
- Blogger [https://cebuserver.com]
- Cebuano native
- Ansible lover
- Die-hard Debian user

Page 6:

Meet the threat

Page 7:

Focusing on ...
- AWS Key Management
- AWS IAM Management
- AWS AMI Management
- AWS Security Groups
- Server Monitoring
- Alert Notification
- Art of Monitoring

Page 8:

Key Management

Page 11:

AWS IAM: 3rd-Party Providers

- Don't grant a provider permissions broad enough to execute API calls you never authorized; scope its policy to the calls it actually needs.
- Re-evaluate the granted permissions every quarter.
- Give each provider its own dedicated IAM identity and credentials instead of sharing one.

User

- Control access to resources with resource-level permissions (ACLs/policies).
- Use the ReadOnly policy unless the user genuinely needs the full one.
- Don't enable a console password for users that only need programmatic access (stick with access key/secret key).
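As an added example (not code from the slides), the following Python linter applies the two rules above to IAM policy documents: it flags statements that would let a third-party provider or a user execute API calls beyond what was authorized, and it tells a ReadOnly policy apart from a full one so the quarterly review can sort by risk. The three policy documents embedded in it are constructed samples, not policies from the talk.

```python
"""Least-privilege linter for IAM identity policies.

Added example (not from the talk). Walks the Statement list of a policy
document and flags Allow statements that grant more than a third-party
provider or a human user should have: Action "*" or "service:*", NotAction
(everything except the listed calls), wildcard actions that are not purely
read-only, and mutating actions on Resource "*". It also classifies each
policy as "full", "read-only" or "mixed" for the quarterly review.
The policies at the bottom are constructed test inputs.
"""
import json

# Verbs that only read state; anything else is treated as mutating.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head", "Lookup")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """True for e.g. 's3:GetObject' or 'ec2:Describe*', False for 's3:*' or '*'."""
    verb = action.split(":", 1)[-1].rstrip("*")
    return verb != "" and verb.startswith(READ_ONLY_PREFIXES)


def lint_policy(document):
    """Return a list of findings for one policy document (dict or JSON string)."""
    if isinstance(document, str):
        document = json.loads(document)
    findings = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows every action except the listed ones")
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            read_only = _is_read_only(action)
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: {action} is unrestricted access")
            elif "*" in action and not read_only:
                findings.append(f"{sid}: wildcard {action} covers mutating calls")
            elif not read_only and "*" in resources:
                findings.append(f"{sid}: {action} is allowed on Resource '*'")
    return findings


def classify_policy(document):
    """'full' (admin-equivalent), 'read-only', or 'mixed'."""
    if isinstance(document, str):
        document = json.loads(document)
    actions = []
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        unrestricted_resource = "*" in _as_list(stmt.get("Resource"))
        acts = _as_list(stmt.get("Action"))
        if unrestricted_resource and ("NotAction" in stmt or "*" in acts):
            return "full"
        actions.extend(acts)
    if actions and all(_is_read_only(a) for a in actions):
        return "read-only"
    return "mixed"


# Constructed test inputs: an account-wide admin policy, a proper read-only
# policy, and what a careless vendor integration typically asks for.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
READONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Read", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket", "ec2:Describe*"], "Resource": "*"}]}
VENDOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VendorOps", "Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances", "iam:PassRole"],
     "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("admin", ADMIN_POLICY), ("readonly", READONLY_POLICY),
                         ("vendor", VENDOR_POLICY)):
        print(f"{name}: {classify_policy(policy)}")
        for finding in lint_policy(policy):
            print("  -", finding)
```

Run it against the JSON you get from `aws iam get-policy-version` to triage a provider's request: the vendor policy above is not "full", but every mutating call in it is allowed on every resource, which is exactly the kind of grant that should be narrowed to specific instance ARNs before the quarter is out.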

Page 12:

AWS IAM: Groups

- Group users properly; best practice is to group them by department/team, for example:
  - Developer Support
  - Developer Release
  - System Admin I
  - System Admin II
  - QA Engineer
  - Business Groups
  - Project Managers

Roles

- Use IAM roles wherever a resource in one service needs to act on another (for example, an instance or function that is triggered by, or calls, other services). A role hands out temporary credentials, which is better than scattering passwords and long-lived keys all over the place.
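The quarterly permission review from the previous slide, and the "no passwords where a key or role will do" rule above, can both be driven from the IAM credential report. The Python below is an added example (not code from the talk): it parses the report's real column layout (`aws iam generate-credential-report` followed by `aws iam get-credential-report`) and flags active access keys older than 90 days, active keys that have never been used, and users carrying both a console password and access keys. The report rows, the account ID 123456789012 and the fixed review date are constructed sample data.

```python
"""Quarterly IAM credential review from the credential report.

Added example (not from the talk). Parses the CSV that
`aws iam get-credential-report` returns (the column names are the real ones)
and reports:
  * active access keys older than MAX_KEY_AGE_DAYS (rotate every quarter),
  * active access keys that have never been used (dead credentials),
  * users that have both a console password and access keys (API users
    should have keys or a role, not a password).
SAMPLE_REPORT and NOW are constructed test data, not a real account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90
NOW = datetime(2016, 10, 1, tzinfo=timezone.utc)  # fixed review date for reproducibility

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2015-01-01T00:00:00+00:00,not_supported,2016-09-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2015-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-02-01T00:00:00+00:00,2016-09-30T12:00:00+00:00,ap-southeast-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
vendor-monitoring,arn:aws:iam::123456789012:user/vendor-monitoring,2016-01-15T00:00:00+00:00,true,2016-09-29T08:00:00+00:00,2016-01-15T00:00:00+00:00,N/A,false,true,2016-09-15T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-03-01T00:00:00+00:00,true,2016-09-30T09:00:00+00:00,2016-08-01T00:00:00+00:00,2016-11-01T00:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _parse_date(value):
    """The report uses ISO 8601 with offset, or one of several 'no value' markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, problem) pairs for every row that fails a check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active_keys = []
        for n in ("1", "2"):  # a user can hold at most two access keys
            if row[f"access_key_{n}_active"] != "true":
                continue
            active_keys.append(n)
            rotated = _parse_date(row[f"access_key_{n}_last_rotated"])
            last_used = _parse_date(row[f"access_key_{n}_last_used_date"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                age = (now - rotated).days
                findings.append((user, f"access key {n} is {age} days old; rotate it"))
            if last_used is None:
                findings.append((user, f"access key {n} is active but has never been used; remove it"))
        # The root account reports 'not_supported' here, so it never matches "true".
        if row["password_enabled"] == "true" and active_keys:
            findings.append((user, "has a console password and access keys; make it an API-only user"))
    return findings


def run_sample():
    """The constructed report evaluated at the fixed review date."""
    return audit_credential_report(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for user, problem in run_sample():
        print(f"{user}: {problem}")
```

Workloads that assume a role never appear in this report with keys, which is the point of the role advice: the fewer long-lived credentials the report lists, the shorter the quarterly review.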

Page 13:

AWS AMI
- Evaluate the preferred distro
- Evaluate the AMI format/type
- Evaluate the AMI build (components)
- Evaluate the defaults (libraries to be added)
- Evaluate the base software (pre-installed)

- Take a snapshot of the configured server
- Use the snapshot to spawn additional machines
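Before a snapshot becomes the base for more machines, the image itself deserves the same evaluation as its contents. The Python below is an added example (not code from the talk) that runs over the JSON returned by `aws ec2 describe-images --owners self` and flags images that are public, carry unencrypted EBS volumes, or are older than a rebuild window, since stale base software is what the checklist above is meant to avoid; the 90-day window, the two sample images and the fixed date are assumptions made for the example.

```python
"""AMI hygiene audit before spawning machines from a snapshot.

Added example (not from the talk). Runs over the JSON returned by
`aws ec2 describe-images --owners self` (field names are the real ones)
and flags images that are public, carry unencrypted EBS volumes, or are
older than the rebuild window; launchable_images() returns only the clean,
available ones. SAMPLE_IMAGES, NOW and the 90-day window are constructed
assumptions for the example.
"""
from datetime import datetime, timezone

MAX_IMAGE_AGE_DAYS = 90  # assumed rebuild cadence for the base image
NOW = datetime(2016, 10, 1, tzinfo=timezone.utc)  # fixed "today" for reproducibility

SAMPLE_IMAGES = {"Images": [
    {"ImageId": "ami-0a1b2c3d4e5f67890", "Name": "web-base-2016-09-20", "OwnerId": "123456789012",
     "Public": False, "State": "available", "CreationDate": "2016-09-20T10:00:00.000Z",
     "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0aaaaaaaaaaaaaaaa",
                                             "VolumeSize": 8, "Encrypted": True}},
         {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]},
    {"ImageId": "ami-0123456789abcdef0", "Name": "web-base-2016-05-01", "OwnerId": "123456789012",
     "Public": True, "State": "available", "CreationDate": "2016-05-01T10:00:00.000Z",
     "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0bbbbbbbbbbbbbbbb",
                                             "VolumeSize": 8, "Encrypted": False}}]},
]}


def _parse_creation_date(value):
    """describe-images returns e.g. '2016-09-20T10:00:00.000Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_image(image, now=NOW, max_age_days=MAX_IMAGE_AGE_DAYS):
    """Return the list of problems with one image (empty means fit to launch from)."""
    problems = []
    if image.get("Public"):
        problems.append("image is public: anyone can launch it and inspect what is baked in")
    for mapping in image.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")  # instance-store (ephemeral) mappings have no Ebs block
        if ebs is not None and not ebs.get("Encrypted", False):
            problems.append(f"volume {mapping['DeviceName']} is not encrypted")
    age_days = (now - _parse_creation_date(image["CreationDate"])).days
    if age_days > max_age_days:
        problems.append(f"image is {age_days} days old; rebuild it with current base software")
    return problems


def audit_images(describe_output, now=NOW, max_age_days=MAX_IMAGE_AGE_DAYS):
    """(ImageId, problem) pairs across the whole describe-images result."""
    return [(img["ImageId"], p) for img in describe_output["Images"]
            for p in audit_image(img, now, max_age_days)]


def launchable_images(describe_output, now=NOW, max_age_days=MAX_IMAGE_AGE_DAYS):
    """ImageIds that are available and passed every check: the only ones to spawn from."""
    return [img["ImageId"] for img in describe_output["Images"]
            if img.get("State") == "available" and not audit_image(img, now, max_age_days)]


if __name__ == "__main__":
    for image_id, problem in audit_images(SAMPLE_IMAGES):
        print(f"{image_id}: {problem}")
    print("launch from:", launchable_images(SAMPLE_IMAGES))
```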

Page 15:

AWS Security Groups: things to be aware of

- If an instance was launched in EC2-Classic (the default for older accounts), you cannot add or change its security groups once it is running; instances in a VPC can have security groups added or removed at any time.

*Better: use a VPC and segregate the network.*

- Always keep a "spare-tire" security group: a fallback group whose rules allow remote access (for example SSH) only from a whitelist of known remote IPs, so you can still reach your instances if the primary group's rules are broken or locked down too far.
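Both points above can be checked from the output of `aws ec2 describe-security-groups`. The Python below is an added example, not code from the talk: it lists every ingress rule open to 0.0.0.0/0 or ::/0, rates rules that reach management ports or allow all traffic as high, and verifies that the group named spare-tire admits SSH only from an approved remote IP whitelist. The group names, group IDs, CIDRs and the whitelist are constructed for the example.

```python
"""Security-group ingress audit.

Added example (not from the talk). Takes the JSON structure returned by
`aws ec2 describe-security-groups` (field names are the real ones) and:
  * reports every ingress rule open to the world (0.0.0.0/0 or ::/0),
    rating "all traffic" and management-port rules as high;
  * checks that the fallback "spare-tire" group only allows SSH from the
    approved remote IP whitelist.
SAMPLE_GROUPS and OFFICE_WHITELIST are constructed test data.
"""
import ipaddress

MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                    6379: "redis", 27017: "mongodb"}
WORLD = ("0.0.0.0/0", "::/0")

SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "VpcId": "vpc-11111111",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
          "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "legacy-db", "VpcId": "vpc-11111111",
     "IpPermissions": [
         # IpProtocol "-1" means all traffic; FromPort/ToPort are absent.
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0c9d8e7f", "GroupName": "spare-tire", "VpcId": "vpc-11111111",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "198.51.100.0/24"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]}
OFFICE_WHITELIST = ["203.0.113.10/32", "198.51.100.0/24"]  # constructed office egress ranges


def _cidrs(rule):
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _covers_port(rule, port):
    if rule.get("IpProtocol") == "-1":
        return True
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def _describe_ports(rule):
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return "all traffic"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None or (lo, hi) == (-1, -1):  # e.g. icmp "all types"
        return f"{proto} all"
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def find_world_open_rules(describe_output):
    """(group_name, group_id, ports, severity) for every ingress rule open to the world."""
    findings = []
    for group in describe_output["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            if not any(c in WORLD for c in _cidrs(rule)):
                continue
            high = any(_covers_port(rule, p) for p in MANAGEMENT_PORTS)
            findings.append((group["GroupName"], group["GroupId"], _describe_ports(rule),
                             "high" if high else "info"))
    return findings


def check_spare_tire(describe_output, group_name, whitelist, port=22):
    """Problems with the fallback group (empty list means it is usable as a spare tire)."""
    allowed = [ipaddress.ip_network(c) for c in whitelist]
    groups = [g for g in describe_output["SecurityGroups"] if g["GroupName"] == group_name]
    if not groups:
        return [f"no security group named {group_name}"]
    problems, saw_port = [], False
    for rule in groups[0].get("IpPermissions", []):
        if not _covers_port(rule, port):
            continue
        saw_port = True
        for cidr in _cidrs(rule):
            net = ipaddress.ip_network(cidr)
            # subnet_of() raises on mixed v4/v6, so compare versions first.
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                problems.append(f"{cidr} is not in the remote IP whitelist")
    if not saw_port:
        problems.append(f"no rule for tcp/{port}")
    return problems


if __name__ == "__main__":
    for name, gid, ports, severity in find_world_open_rules(SAMPLE_GROUPS):
        print(f"[{severity}] {name} ({gid}): {ports} open to the world")
    print("spare-tire:", check_spare_tire(SAMPLE_GROUPS, "spare-tire", OFFICE_WHITELIST) or "ok")
```

Port 80 open to the world on a web group is expected and is reported as info; SSH open to the world and an all-traffic rule are the ones to fix, and in a VPC they can be fixed by swapping groups on the running instance rather than rebuilding it.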

Page 16:

Server Monitoring

Page 17:

Alert Notification

Page 18:

DEVOPSHQ.ORG
@NeilUpbeta01

CebuServer.Com

AWSUGPH